Justifying GRC Automation Costs to Your Board

by Matt Kelly on September 21st, 2018

Justifying GRC Automation Costs to Your Board

One crucial task for any chief compliance officer is to convince senior executives to invest in ethics and compliance. Today let’s look at one specific slice of that job: how to justify the investment in compliance automation.

That’s a narrower challenge than “demonstrating the ROI of compliance,” and an easier one, too. The plain truth is that compliance is something an organization must do, regardless of the ROI. Automation is simply a smarter way to do it — an investment of time and money today that should save the company even more time and money tomorrow.

It’s the “should” part that leaves board directors looking at you squinty since the corporate world is full of IT investments that didn’t reap the expected benefits. So how do you justify an investment in GRC automation effectively?

By the Numbers

To some extent, you can calculate the ROI of automation mathematically. That is, if you know which employees work on Task X, and how many hours they spend on Task X; then you can get their salary costs from the payroll department and estimate how much money the completion of Task X currently costs.

Then you determine the number of man-hours your GRC automation project would eliminate, and which man-hours they would eliminate: how many low-level hours that cost $50 each, how many supervisors’ hours that cost $100 each, and so forth. That total is your savings. If your savings are greater than the cost of the automation project, you’re headed in the right direction.

That idea seems simple, yet so often IT investments fail to meet expectations. Why?

Remember What You Really Need

The devil is in the details of determining the “total cost of ownership” (TCO) of a GRC project, and the total disruption and benefit it will bring to the business. Poor planning on either of those fronts will lead to unanticipated consequences — which leads to the board asking, “Why didn’t you think of that earlier?” a question CCOs want to avoid.

For example, your GRC automation will involve more than installing the software. Employees will need to be trained. Maintenance agreements might necessary. If the software is a cloud-based tool, you might need to provide more network access to your employees, or new equipment (tablets, for example, so they can work in the field). All of that goes into the TCO.

Also, consider the chance of future regulatory change, and whether the automation you implement now might paint you into a corner later. For example, a future regulation might require you to extract some new point of data from your third parties. If the due diligence processes you automate today can’t accommodate that new request, you’ll need to add a new manual task — defeating the whole point of automation.

Think Bigger

You also need to consider disruption to other business processes, in ways both positive and negative. For example, if your investment results in laying off 10 percent of employees who become redundant, that can change team dynamics and productivity. If the company lays off the bottom 10 percent performers but also spooks superstars into bolting elsewhere — that might not necessarily help the organization.

Conversely, if the company has enough work to retask those 10 percent to other, more productive assignments, that’s good. Or maybe you’ll automate some certain portion of the workforce at lower skills and wages, but the automation creates more room for the company to hire higher-paid workers who bring more revenue or other benefits.

Those are difficult questions, but they are what senior executives and the board confront every day. Frame your GRC automation proposal in those terms, with specific numbers to support your arguments, and you’ll be speaking their language.

Building a comprehensive structure for your compliance program is essential to effectively and efficiently mitigate risk. And while risks vary from one company to another based on industry, location, and partners – thereby disqualifying any one-size-fits-all compliance program – the underlying structure of a program can, to a reasonable extent, be broken down into a set of components.